[Bro] required ports open for cluster?

erik clark philosnef at gmail.com
Tue Nov 8 05:23:38 PST 2016


Just to compound the issue, no matter what host in the cluster I set the
logger destination to, I get zero logs. I am running 2.5beta1. I've
disabled iptables all around to see if that was causing a problem, but it
does not seem to be the case, as I have a pcap showing what appears to be
bro dns logs attempting to go across the wire to the logger. They just
aren't being written....

On Tue, Nov 8, 2016 at 7:13 AM, erik clark <philosnef at gmail.com> wrote:

> (Sorry, accidentally sent this to just Justin)...
>
> Cool. I had punched the holes after running tcpdump on it for a while and
> saw it trying to talk back. However, the one thing I don't understand is
> that my logs aren't being written back to the logger host, even though
> communication is open.
>
> /data/bro/logs/current
>
> is empty on the logger. All I have there is an stderr.log and an
> stdout.log. Neither the workers on the logger machine itself, nor the remote
> host, are logging to that directory. Are they being kept somewhere else? I
> don't see them anywhere in the /data/bro/(spool/log) directory....
>
> On Mon, Nov 7, 2016 at 12:24 PM, Azoff, Justin S <jazoff at illinois.edu>
> wrote:
>
>> It will be in the documentation for 2.5
>>
>> https://www.bro.org/sphinx-git/components/broctl/README.html#bro-communication
>>
>> --
>> - Justin Azoff
>>
>> > On Nov 7, 2016, at 12:13 PM, erik clark <philosnef at gmail.com> wrote:
>> >
>> > Ok, so I don't see this in any documentation on bro.org. I have a
>> > logger running on the same box as the manager, but I do not see any logs
>> > being generated in /data/bro/logs/current.
>> >
>> > I am assuming this is because traffic is being dropped on the floor
>> > because iptables is in a default reject state? Where is the explicit
>> > listing of ports that you need to punch in either firewalld or iptables?
>> >
>> > https://www.bro.org/sphinx/components/broctl/README.html
>> >
>> > does not have them listed, or any rule to have an entry in node.cfg to
>> > set the port to a specific number... Thanks!